A Fresh Look at Vista's User Account Control

Zonk posted more than 8 years ago | from the let-me-in dept.

Art Grimm writes to mention a post at Ed Bott's Microsoft Report on ZDNet. There, he talks about Vista's User Account Control, and the issues he sees with the setup as it exists now. From the article: "The UAC prompts I depicted in the first post are those that appear when you install a program, when you run a program that requires access to sensitive locations, or when you configure a Windows setting that affects all users. But as many beta testers have discovered, UAC prompts can also show up when you perform seemingly innocent file operations on drives formatted using NTFS. In this post, I explain why these prompts appear and why some so-called Windows experts miss the obvious reason (and the obvious fix)."

332 comments

Windows Expert? (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#15265299)

Wouldn't that be considered an oxymoron?

How annoying (5, Informative)

kimvette (919543) | more than 8 years ago | (#15265304)

Could they possibly make that "article" any more annoying? They'd have been better-served to turn it into a flash-animated slide show. I'm not going to click all the way through that thing.

Either put it all on one or two pages (interspersed with ads if you must), or put it into a slide show if the article is written as a slide show.

Re:How annoying (1, Informative)

Anonymous Coward | more than 8 years ago | (#15265336)

You beat me to it. I have no problem with long articles being broken up but this one is like two sentences, a picture and a "more" button. Screw you, ZDNet.

Re:How annoying (5, Funny)

AKAImBatman (238306) | more than 8 years ago | (#15265387)

this one is like two sentences, a picture and a "more" button.

I think he was trying to capture the "flavor" of Windows Vista. i.e. You'll be spending 90% of your time clicking...

(Click Next to Continue)

through...

(Click Next to Continue)

the dialog...

(Click Next to Continue)

boxes. Each one of...

(Click Next to Continue)

these boxes...

(Click Next to Continue)

will annoy you with something else...

(Click Next to Continue)

incredibly trivial.

Re:How annoying (1)

charleste (537078) | more than 8 years ago | (#15265382)

I had to see this for myself! To quote Keanu Reeves: "Whoa!". That was bad. What if I don't have good short term memory? This format, of course, would only be profitable if the ads were for munchies :-) I did wade through the article (retaining what I could) and it just seemed to be either a scare tactic for Joe User OR a warm-fuzzy - I guess depending on the user's initial perspective.

Re:How annoying (-1, Flamebait)

kimvette (919543) | more than 8 years ago | (#15265392)

How the FUCK is that flamebait?

Focus on modding up, not down. And don't mis-use the "Flamebait" tag. I thought my post was pretty darn insightful, if off topic, which might possibly be a better selection than flamebait.

Don't throw away your mod points, n00b.

Re:How annoying (-1, Offtopic)

eln (21727) | more than 8 years ago | (#15265429)

Don't complain about moderations on your own posts, n00b (I know, you had a double-digit account number but you lost the password). You're only making yourself look like a whiner, and the most common outcome is that your complaint will get modded down along with your original post (as well as my reply).

Re:How annoying (-1, Offtopic)

kimvette (919543) | more than 8 years ago | (#15265522)

No, my first account was a seven-digit number. *shrug* And as far as my complaint getting modded down, that would be well-deserved, but my comment about the article should not have been modded flamebait, because it was NOT flamebait.

Re:How annoying (0, Offtopic)

kimvette (919543) | more than 8 years ago | (#15265625)

That was not flamebait either, off-topic at worst. We can continue this until you run out of mod points.

Re:How annoying (1)

azav (469988) | more than 8 years ago | (#15265444)

You're correct. It was an annoying article and with no real solution either.

Basically, it goes like this: Here's something that sucks and here's no idea solution for it. All spread over three pages that should have been one that a reader could scroll through.

Must be a slow news day.

And on a cooler note about cooler things...
http://www.apple.com/science/profiles/hiperwall/ [apple.com]

This is not flamebait, someone mod it back up (2, Informative)

moultano (714440) | more than 8 years ago | (#15265425)

When I first clicked on the article, I couldn't even figure out immediately where the rest of it was. It was like 90% crap, a tiny bit of text, and a tiny more link that disappeared amidst all of the crap.

Re:How annoying (1)

Gannoc (210256) | more than 8 years ago | (#15265437)

Agreed. I stopped reading after three slides. Was the content on MAYBE 1/8th of the page? Screw ZDNet.

Re:How annoying (1)

drpimp (900837) | more than 8 years ago | (#15265460)

What even is more annoying is the way it appears to work. I got annoyed just looking at those annoying Vista warning screen shots.

Re:How annoying (5, Insightful)

causality (777677) | more than 8 years ago | (#15265519)

Sorry guys, I have karma to burn so take your moderator frustrations out on me if you must, but that moderation is bullshit (and damn do mods seem to dislike it when you point this out). Flamebait? What strong belief does it blatantly attack in an attempt to start a verbal war? Try reading the FAQ [slashdot.org] you fucks. Articles like this are shit, and I am also not going to continue viewing this article because I do not wish to knowingly reward shit with ad revenue dollars -- yes, you see, there is a decision to make here involving voting with your feet and whether you wish or do not wish to reward something with real $$. Just think about the kind of traffic the Slashdot Effect generates for a site and its advertisers. Therefore, if anything, kimvette is doing me a favor, and I suspect I am not the only person who can say that. So anyway, it is likely that calling bullshit when I see it, in the only forum in which I can do so (seeing how I do not have mod points right now and there is no section here devoted to discussing this sort of thing) will cost me a few points, but oh well.

Slashdot badly needs a way to moderate articles themselves, and "-1 Conflict of Interest" (for obvious attempts to drive traffic to sites that just happen to be ad-supported and also just happen to be owned by the person who submitted the article) and "-1 Excess Pagination" need to be two of the categories. I'm not even going to mention dupes.

Re:How annoying (1)

aztec rain god (827341) | more than 8 years ago | (#15265544)

I looked at two pages of the bloody thing and had to go lie down for a while.

This is not a good approach (5, Insightful)

jawtheshark (198669) | more than 8 years ago | (#15265305)

Frankly... Nobody is "Administrator" of the machine anymore? (Administrators Group is not enough) Really? So essentially, they reduced the "Administrators" groups to "Well, you can admin, but you have to know what you do, and we'll annoy the hell out of you".

The whole point of Administrator is that you know what you do and you can Admin a machine securely. I know Joe Sixpack doesn't know how to, but doing this will put Admins all over the world in the place of "Limited User". In the end our Dear Joe Sixpack will just click and click until the task is done anyway. He will be frustrated and will get spyware anyway.

What we need is the equivalent of a Car Mechanic for administration. You call your mechanic and he'll do the maintenance for a fee. Frankly, it's the only way for home users.

Oh, and those that say that you can't run in Limited User on XP (as in the fine article is stated) are completely ignorant. I'm running Limited right now, and I have no problem. Granted, I have to set the ACLs on both directories and registry settings, but it's never been very hard. The only program I've never been able to run as non-admin is a game called "Children Of The Nile", and I still don't know how to run it as a Limited User. The user that needed it got the "Run As" option checked in the shortcut. Sure she has Admin access that way, but she's my sister and knows that she shouldn't run Admin.

No, all problems are just the cause of the legacy of poor security in the past. Nagging dialogboxes won't help.

Re:This is not a good approach (2, Interesting)

kimvette (919543) | more than 8 years ago | (#15265364)

And, it's unlikely that Quickbooks will run as Limited User in Vista. See the URL in my sig (it is not my site, just conveniently appropriate for this thread)

Re:This is not a good approach (1)

Orrin Bloquy (898571) | more than 8 years ago | (#15265377)

Tell me how to get Monsters Inc. Scream Team Training to run on a non-admin account without me manually entering an admin pw into Run As... every time and I'll be unbelievably grateful.

Re:This is not a good approach (1)

Tibor the Hun (143056) | more than 8 years ago | (#15265418)

pfft. easy-peasy...
write it down on a sticky and teach your kid to type it in.
call it Monsters Inc. admin rights access team training.
kids will love it.

Re:This is not a good approach (2, Informative)

jawtheshark (198669) | more than 8 years ago | (#15265468)

I have no idea... BUT... If you're running WinXP Pro, go to the folder where it is installed and give "Full" access rights to "Users". If that doesn't work, go into regedit (assuming XP Pro...otherwise go to regedt32) and look for registry entries in HKEY_LOCAL_MACHINE related to your program. Grant them full access rights to "User" on that part of the tree. 99% of the programs I have encountered will work then. You could say that security is compromised because a normal user could kill the program. That is true, but the application programmers are to blame for that.

If you have XP Home, read up on cacls [microsoft.com] . Alas, in XP Home it is hard to configure access control on folders.
For example:
C:\> cacls C:\MyFolder\ /T /E /G Users:F

Re:This is not a good approach (3, Insightful)

Ucklak (755284) | more than 8 years ago | (#15265561)

You've just explained how complicated Windows permissions are to use over Mac and *nix.

Re:This is not a good approach (5, Informative)

Gnavpot (708731) | more than 8 years ago | (#15265516)

Tell me how to get Monsters Inc. Scream Team Training to run on a non-admin account without me manually entering an admin pw into Run As... every time and I'll be unbelievably grateful.
If you are on XP Pro (not XP Home), you should look into the '/savecred' option for the command line version of RunAs.

First time a program is started with 'runas /savecred /user:administrator', you will be prompted for the administrator password. The next time this command is used to start the program, XP will remember that this user is allowed to run the program with administrator privileges and will not ask for a password. To make things a little more convenient and self-explanatory, you can put the command into a .bat file, make a shortcut to the .bat file and select the program's icon for the shortcut.

It is certainly not a perfect solution, but it can solve some problems.

However, you should not use this solution if you don't trust the user. I am almost certain that the program can be replaced with another program with the same name without revoking the privileges.

Re:This is not a good approach (5, Informative)

laplandsix (850999) | more than 8 years ago | (#15265556)

Right click the shortcut and prepend the following:

C:\WINDOWS\system32\runas.exe /savecred /user:administrator
The first time you run the app it'll prompt you for the admin password (in an UGLY ass dos box) after that it'll run with no prompting. Honestly, this isn't rocket science. Not quite as slick as suid, but it works. Until you change the admin password of course.
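
The two workarounds in this subthread interact: the replacement risk Gnavpot mentions applies most directly when the folder holding a `runas /savecred` target has also been opened up with `cacls ... /G Users:F`. The following is an added example, not part of any comment in the thread: Python that cross-checks launcher files against `cacls` display output and reports targets whose folder is writable by ordinary users. The launcher text, paths, ACL listings and function names are constructed for illustration, and the program path is assumed to be the first token after the `runas` options.

```python
import ntpath
import re

# Groups that contain ordinary, non-administrator accounts.
BROAD = {"users", "everyone", "authenticated users", "interactive"}
# cacls rights letters that let the holder modify or replace files.
WRITE_RIGHTS = {"W": "Write", "C": "Change", "F": "Full control"}

# One simple ACE as cacls prints it, e.g.  BUILTIN\Users:(OI)(CI)F
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF])$")
# runas, its /options, then the program to start (quoted or bare).
RUNAS = re.compile(
    r'runas(?:\.exe)?\s+(?P<opts>(?:/\S+\s+)+)(?P<prog>"[^"]+"|\S+)', re.I)


def savecred_targets(text):
    """Return programs started through `runas /savecred` in a .bat/.cmd text."""
    targets = []
    for line in text.splitlines():
        m = RUNAS.search(line)
        if m and "/savecred" in m.group("opts").lower():
            targets.append(m.group("prog").strip('"'))
    return targets


def parse_cacls(path, output):
    """Parse `cacls <path>` output into (principal, flags, right) tuples.

    Only simple one-letter rights are parsed; "special access" blocks
    and blank lines are skipped.
    """
    aces = []
    for i, line in enumerate(output.strip().splitlines()):
        if i == 0 and line.lower().startswith(path.lower()):
            line = line[len(path):]          # first line is "<path> <ACE>"
        m = ACE.match(line.strip())
        if m:
            aces.append((m.group("who").strip(), m.group("flags"),
                         m.group("right")))
    return aces


def risky_grants(aces):
    """Return (principal, right name) where a broad group can write."""
    out = []
    for who, _flags, right in aces:
        account = who.split("\\")[-1].lower()
        if account in BROAD and right in WRITE_RIGHTS:
            out.append((who, WRITE_RIGHTS[right]))
    return out


def audit(script_text, cacls_by_folder):
    """Flag savecred targets whose folder a non-admin group can modify.

    cacls_by_folder maps a lower-cased folder path to the text that
    `cacls <folder>` printed for it.
    """
    findings = []
    for prog in savecred_targets(script_text):
        folder = ntpath.dirname(prog)
        output = cacls_by_folder.get(folder.lower(), "")
        for who, right in risky_grants(parse_cacls(folder, output)):
            findings.append((prog, who, right))
    return findings


# Constructed launcher file, modelled on the commands quoted in the thread.
SAMPLE_BAT = r'''@echo off
C:\WINDOWS\system32\runas.exe /savecred /user:administrator "C:\Program Files\example\foo.exe"
runas /user:administrator "C:\Tools\other.exe"
runas /savecred /user:administrator C:\Games\bar\bar.exe
'''

# Constructed `cacls` listings for the two target folders.
SAMPLE_CACLS = {
    r"c:\program files\example": r'''C:\Program Files\example BUILTIN\Users:(OI)(CI)F
                         BUILTIN\Administrators:(OI)(CI)F
                         NT AUTHORITY\SYSTEM:(OI)(CI)F''',
    r"c:\games\bar": r'''C:\Games\bar BUILTIN\Administrators:(OI)(CI)F
             BUILTIN\Users:(OI)(CI)R''',
}

if __name__ == "__main__":
    for prog, who, right in audit(SAMPLE_BAT, SAMPLE_CACLS):
        print(f"{prog}: started with /savecred, but {who} has {right} "
              f"on its folder")
```

A finding means the saved administrator credential is attached to a program that a limited account can overwrite; tightening the folder ACL back to read-only for Users, or dropping `/savecred` for that launcher, clears it.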

Run on non-admin account without manually entering (1)

CyberSlugGump (609485) | more than 8 years ago | (#15265612)


You can use the free program AutoIt [autoitscript.com]

; Example AutoIt script to run a program as admin
RunAsSet("Administrator", "", "adminpassword")
Run("C:\Program Files\example\foo.exe")
RunAsSet()

The script can be compiled into a stand-alone executable so that you don't need your password sitting in a plain text file on your hard drive [autoitscript.com]

No one says that you cannot. (5, Insightful)

khasim (1285) | more than 8 years ago | (#15265426)

Oh, and those that say that you can't run in Limited User on XP (as in the fine article is stated) are completely ignorant.
What the article actually said was:
When you use Windows XP, you are almost certainly using an account that belongs to the Administrators group. (The challenges of running as a Limited user in XP are well documented.)
What was that about "ignorant"?
Granted, I have to set the ACLs on both directories and registry settings, but it's never been very hard.
Go ahead and ask 100 people on the street whether they use Windows and whether they know what an ACL is and how to change it.

Running as a Limited User is not impossible.

It just requires spending a LOT of time and effort to LEARN how to do so ...

and that pre-supposes that the person understands the risk of running as Administrator.

So, someone has to already be aware of the threat ...
Then that person has to choose to try to avoid that threat ...
Then, then that person has to spend time becoming further educated ...
Then, then, then that person has to spend time fixing the ACL's and such.

Or just choose to run as Administrator and all those problems go away (and you get new problems, but all your apps run).

Re:No one says that you cannot. (1)

jawtheshark (198669) | more than 8 years ago | (#15265503)

My point was that the additional warning will add nothing. That is why I added the "Mechanic" part. People need an expert to service their machines. I'm the mechanic of my family and nobody has problems.

The additional prompts do nothing.

Damn, slashdot is getting a MS-fanboy club.

Re:No one says that you cannot. (1)

greed (112493) | more than 8 years ago | (#15265547)

Go ahead and ask 100 people on the street whether they use Windows and whether they know what an ACL is and how to change it.

It doesn't help that one of the features left out in XP Home Edition is the ACL Editor. Sure, it's obtuse and hard to figure out--but it's a damn sight simpler than trying to get anywhere with CACLS.EXE.

It would be one thing to leave out the ACL Editor (and the advanced features of the user editor, you know, like more than "Limited" and "Administrator" choices) from XP Home Edition if the underlying operating system didn't have those concepts, either. But, all the system features are all there, you just really, really, really have to know how to drive the command line and/or hack the registry to do the work.

Frankly, I think it's fairly repellent that Microsoft wants a premium price for those two features--for an "advanced" home user, those are pretty much the only useful things in XP Professional. (Nearly everything else is relevant only for those working in Windows Server domains.)

Re:No one says that you cannot. (2, Informative)

Mancat (831487) | more than 8 years ago | (#15265613)

You can gain access to the "Security" tab in XP Home by installing NT Security Configuration Manager:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/tools/scm/SCESP4I.EXE [microsoft.com]

Run the executable and extract it to a folder, then open the folder. Right-click on "setup.inf," click Install, and restart once it's done. Works with all service pack levels of Home.

Two Words (3, Insightful)

SuperKendall (25149) | more than 8 years ago | (#15265471)

Granted, I have to set the ACLs on both directories and registry settings, but it's never been very hard.

Your Momma.

As in, ask Your Momma to do that.

You see, my mother uses a Mac and is able to install updates herself and keep things running just fine, all without knowing what an ACL is much less how to set it.

Saying the average user needs the equivalent of a car mechanic to deal with computers is just sweeping the issue under the rug and letting Microsoft off the hook for a half-assed solution to the problem. And also ignoring there are a hell of a lot more people that can fix their own car problems than computer issues.

Re:Two Words (1)

jawtheshark (198669) | more than 8 years ago | (#15265568)

Oh, is it sweeping the issue under a carpet? Is it really? NO IT IS NOT! A computer is sensitive equipment that needs adequate servicing, exactly like a car. The thing is that nobody seems to understand that!

Administrator access is something a normal user should not have. My wife's computer was a spyware-ridden machine until she met me. I'm the mechanic... I know how to fix it. Hey, I can't service my own car. I pay someone to do it. My wife would have had to pay for someone to secure her computer too! Except, such services do not exist.... (Not really, at least)

Installing an application is not something a normal user should do, and that is all I have to say. If you do not agree... then fine...

Your mommy has a Mac.... That's fine... but how Microsoft has handled security, there is no way to go to the "Mac Way". My Mommy has a WinXP machine and she doesn't need any intervention either. Go figure... (Of course, that's partially because of the OpenBSD firewall and the obligation of using Firefox)

Re:This is not a good approach (1)

PenisLands (930247) | more than 8 years ago | (#15265512)

Nagging dialogboxes won't help.

Absolutely. Recently I was watching my dad use his computer, which is kind of messed up at the moment. Some kind of dialogue box with information came up and he just clicked "OK" without reading what it said. I asked why he did that and he said "Oh, sorry. Well, you couldn't do anything, the only option was 'OK'".
Seems like users have learned to blindly click yes or whatever options there are on nagging dialogue boxes that appear at you.

Re:This is not a good approach (0)

Anonymous Coward | more than 8 years ago | (#15265635)

Oh, and those that say that you can't run in Limited User on XP (as in the fine article is stated) are completely ignorant. I'm running Limited right now, and I have no problem. Granted, I have to set the ACLs on both directories and registry settings, but it's never been very hard. The only program I've never been able to run as non-admin is a game called "Children Of The Nile", and I still don't know how to run it as a Limited User.

So, you are supporting your claim that you can run in Limited User on XP by arguing that even you have been unsuccessfully able to run a program in Limited User?

Warning: TFA is unreadable (4, Funny)

jeblucas (560748) | more than 8 years ago | (#15265309)

I went to the first three pages, which corresponds to about the first 19 words of this "article". He has room for about a sentence and a half and a graphic of the windows he's complaining about before you have to click (more) or Next >>. In fact, I can confidently say

(more) [jebshouse.com]

Re:Warning: TFA is unreadable (4, Funny)

jeblucas (560748) | more than 8 years ago | (#15265372)

...that this is the most annoying article I've seen posted in a long time. I even tried the "trick" of looking at the "Print this Article" and "Email This Article" links, which actually want to PRINT SOMETHING (it opens a Print dialog) or email a LINK to one page of the article. Garbage garbage garbage.

Re:Warning: TFA is unreadable (1)

jandrese (485) | more than 8 years ago | (#15265504)

Yeah, my first reaction was to use the "print this article" feature, only to discover that it's just a javascript:print() button, and it's going to print out the 12 or so words of actual content AND the 30 graphics on only that one page...

Seriously, who designed that page?

Re:Warning: TFA is unreadable (1)

dynamo52 (890601) | more than 8 years ago | (#15265615)

Firefox's antipagination [mozilla.org] extension doesn't work either.

Metrics (1)

InfiniteWisdom (530090) | more than 8 years ago | (#15265583)

I just measured things on my 1280x1024 screen. Excluding browser menus, toolbars, scrollbars etc, the window is 1265x856 pixels. The content occupies a 414x331 portion of the screen. This means that 87.3% of the area is junk.

Well, it figures (5, Funny)

Giant Ape Skeleton (638834) | more than 8 years ago | (#15265311)

With more and more people using Firefox, all those popups had to go somewhere...

Re:Well, it figures (1)

Duhavid (677874) | more than 8 years ago | (#15265380)

So, are you claiming that there is a conservation of popups law?

Where were they all before computers started doing popups?

Re:Well, it figures (1)

mctk (840035) | more than 8 years ago | (#15265405)

They were being designed!

Re:Well, it figures (3, Funny)

Keith Russell (4440) | more than 8 years ago | (#15265422)

Where were they all before computers started doing popups?

X10 was the big bang.

Re:Well, it figures (1)

Duhavid (677874) | more than 8 years ago | (#15265481)

Hard to call it a big bang. Times 10 is only
one order of magnitude greater..

Re:Well, it figures (1)

tgone (956916) | more than 8 years ago | (#15265447)

I support FF because they believe in web standards. Too bad 1.5.0.2 is one of the buggiest programs I've ever used though...

Re:Well, it figures (0)

Anonymous Coward | more than 8 years ago | (#15265539)

So switch to Opera? FF isn't the only thing that supports web standards... and (IMO) it's hardly the best.

Re:Well, it figures (0)

Anonymous Coward | more than 8 years ago | (#15265633)

Opera > FF

I wish they would fix XP's account control (5, Insightful)

Oldsmobile (930596) | more than 8 years ago | (#15265316)

I wish they would work a bit on account control on WinXP, it is a total disaster. I WANT to use my computer as a limited user, but when I need to do something in Administrator, I shouldn't be bothered to switch users. Why oh why can't they just make it so that it asks for the admin password like with every other goddamned OS!?!

Vista is nice and all that, but how about fixing XP first!!!!

Re:I wish they would fix XP's account control (2, Informative)

kansei (731975) | more than 8 years ago | (#15265384)

There is no need to switch users.

- You can right-click on any program and select "Run As", type the admin credentials.

- For systems functions, "Run As" IE (as an admin) and change to the Control Panel in the address bar.

- From the command prompt, you can use the "runas" command.

Re:I wish they would fix XP's account control (1)

Oldsmobile (930596) | more than 8 years ago | (#15265421)

Yes yes, I know, that's what I mean is really annoying, why not just ask for an admin password straight up?

Of course if there is a program that requires admin rights, it will just tell you (and sometimes it WON'T even tell you) that you don't have the rights to do this or that.

Also deleting stuff that has been, say, placed on the desktop with admin privileges is a bother and the list goes on. Everything would be fine if it would simply ask me every time there is a problem for the admin password.

Re:I wish they would fix XP's account control (0)

Anonymous Coward | more than 8 years ago | (#15265528)

For systems functions, "Run As" IE (as an admin) and change to the Control Panel in the address bar.

There's a more versatile way to solve this.

* log on to your preferred administrator account
* open explorer (the file kind) and go to Tools/Folder Options
* on the View tab, "Launch folder windows in a separate process"
* OK, Log off

You'll now be able to start an instance of explorer for that administrative account under any another account. There are a few annoyances to deal with (the shell doesn't receive notification this way so you'll have to manually refresh a lot when you do file operations in that explorer instance) and a few obvious things to note (running programs will inherit the administrative account's credentials, and not the running user's, etc).

Re:I wish they would fix XP's account control (1)

Trigun (685027) | more than 8 years ago | (#15265394)

runas command not good enough? I haven't had any problems with it.

Re:I wish they would fix XP's account control (2, Insightful)

jawtheshark (198669) | more than 8 years ago | (#15265408)

RunAs does that pretty much for you. For example: I want to run Programs->Administrative Tools->Computer Management. I navigate to that option, hold down shift and right-click and then I select "Run as". The system asks me my Administrator password and I don't have to log off.

This also works with Internet Explorer, which gives you pretty much access to the full file system... Including ACLs (if you run XP Pro... else you'll need to learn the cacls command on the command line)
You can also invoke runas in the command line by the way...

Re:I wish they would fix XP's account control (0)

Anonymous Coward | more than 8 years ago | (#15265432)

Why would MS put this feature in XP when they can instead milk cash from their loyal sucke^Wusers?

Re:I wish they would fix XP's account control (0)

Anonymous Coward | more than 8 years ago | (#15265448)

Vista is nice and all that, but how about fixing XP first!!!!

Just think of Vista as Service Pack 3. That's about right by now.

(-27, troll)

Re:I wish they would fix XP's account control (0)

Anonymous Coward | more than 8 years ago | (#15265473)

Why oh why can't they just make it so that it asks for the admin password like with every other goddamned OS!?!

Runas [google.com] is your friend.

Part of their master plan (1)

suggsjc (726146) | more than 8 years ago | (#15265518)

Vista is nice and all that, but how about fixing XP first!!!!


How else are they going to get you to upgrade?
Look, our new OS doesn't suck as much as the one of ours that you are currently using. For only $100's more you can "upgrade" and probably have to buy new hardware to run it on as well.

First post (0)

Anonymous Coward | more than 8 years ago | (#15265317)

I saw screenshots of 5365 (and tried it) and now whenever you do one of the several operations that triggers the authentication prompt, it goes into some "Secure Desktop" mode. I say that is:
1. Way too confusing for users seeing that you can't go to anything in the background while the dialog is there, and anyway
2. It's a really stupid gksu rip.

Come on, there needs to be better ways to get security across than raping people just to change their cursor theme. (it doesn't do that but I bet it will in the RTM considering all of those "free mouse cursor ads")

Didnt like it... (3, Funny)

Virtual Karma (862416) | more than 8 years ago | (#15265318)

I didnt quiet like the dialoge boxes because all of those are jarred on the right and bottom borders, as if someone has tore them off..... oh! wait...

Re:Didnt like it... (0)

Anonymous Coward | more than 8 years ago | (#15265363)

Please tell me that English is not your first language.

Windows experts? (5, Funny)

Anonymous Coward | more than 8 years ago | (#15265324)

"I explain why these prompts appear and why some so-called Windows experts miss the obvious reason (and the obvious fix)."

Well, good thing MS targets this OS exclusively to Windows experts. What utter fools we've all been for assuming this would affect our non-expert friends and families!

Too much work to read... (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#15265334)

I was really interested in reading this, but I gave up after the third page. The second and third pages had... maybe twenty words between them? What a joke.

Can you see it now... (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#15265339)

Nothing to see it here... move on...

Gah... Useless link. (0)

Anonymous Coward | more than 8 years ago | (#15265346)

I just... Next >>
Love reading... Next >>
Things... Next >>
Like these... Next >>

Seriously, don't bother visiting the site, or you'll destroy your mouse by the zillion clicks needed. I'm not exaggerating. I haven't had the patience to click through it all, but I wouldn't be surprised if it spanned through 20+ pages.

Next >>

It's nice! (1)

CCFreak2K (930973) | more than 8 years ago | (#15265347)

It's about time something like this came into Windows. Programs will fail with cryptic error messages if they don't have access to some part of the system. Usually it's because it wants write access to something in Program Files, which isn't writeable under normal circumstances by restricted users. I think quux on freenode said it best (I may have misquoted):

thou shalt not write session data to the program directory!


Unfortunately, most of the time, the program doesn't even tell you why it had the error. I know that 3D Studio MAX 8 may or may not work if you run it under a LUA.

Now, I won't fault anyone in particular for this (it's both Microsoft's fault and the programmer's fault), but it's nice that something like this is finally coming.

Answers: (0)

Anonymous Coward | more than 8 years ago | (#15265353)

In this post, I explain why these prompts appear (it's Windows) and why some so-called Windows experts miss the obvious reason (and the obvious fix (Linux) ).

bitter irony? (4, Insightful)

Burlap (615181) | more than 8 years ago | (#15265370)

anyone else see the irony in an article talking about annoying click-throughs needing so many bloody clicks to read?

Re:bitter irony? (2, Insightful)

jandrese (485) | more than 8 years ago | (#15265574)

I thought it was genius myself. The Windows Vista experience on your home machine today!

Just wonderful (2, Insightful)

Tibor the Hun (143056) | more than 8 years ago | (#15265371)

fucking terrific...
3 series of articles, half a dozen pages each, just to tell me why I have to slow down my workflow when deleting or renaming files.

*BSD is Dead (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#15265386)

Vista rocks.

Tough shit, *BSD fags.

do7l (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15265390)

be fun. It ^used [goat.cx]

Funny stuff! (0)

Anonymous Coward | more than 8 years ago | (#15265530)

Hey that is worth the click. Trick or treat goatse.

How innovative. (2, Insightful)

C10H14N2 (640033) | more than 8 years ago | (#15265391)


The 70's called. They want their security model back.

Yawn. ...and yeah, these damned one-paragraph-per-page ad-whoring blog articles suck big time.

Re:How innovative. (1)

Trigun (685027) | more than 8 years ago | (#15265474)

ZDNet, Where Technology meets Business...

And business stabs tech in the face!

The options (4, Funny)

eclectro (227083) | more than 8 years ago | (#15265402)

This is the crux from the end of the article;

"How do you work around this annoyance? You have three choices:

        * You can take ownership of the files on the external drive. That gives your account Full Control permissions at all times and prevents other users on the same computer from changing the files unless they do so as an administrator.
        * Or you can change the permissions assigned to the Users group so that members of that group have Write or Full Control permissions. That solution allows everyone with a user account on the computer to manage files without having to OK a consent dialog box."
        * Or you can play a Sony music CD with a rootkit."

Re:The options (4, Insightful)

jandrese (485) | more than 8 years ago | (#15265555)

Those sounded like terrible solutions to me. Basically: manually adjust the permissions of every file you create or turn off the security stuff and pray.

I'm hoping that these articles are hyperbole and in fact when you create your own files you are marked as the owner with read/write/execute permissions on them. Granted, administration looks like a total nightmare, but MS has been working for years to make administration as hard as possible so this is no big surprise.

What I think the real fix should be: When you get a dialog box like this, there's a "validate me for X minutes" option that you can check to tell the machine that you're going to be administrating for some minutes and stop showering me with dialog boxes. Sort of like how most modern operating systems work.

Summary... (4, Insightful)

MosesJones (55544) | more than 8 years ago | (#15265404)

If you made your user "superuser" on a Linux box, then did a kernel upgrade and decided this was stupid so just allowed you to sudo certain commands then you'd have a devil of a time accessing all those files that you created while you were the super user.

Or put more simply

XP didn't have sudo so you were always admin, Vista has sudo, enabled via annoying popups rather than a config file.

Re:Summary... (1)

ivan256 (17499) | more than 8 years ago | (#15265570)

Close, but no.

XP didn't have sudo so you were always admin, Vista has sudo, enabled via annoying popups rather than a config file.

It's not the config file part that is broken, it's the UI part.

You see, first of all sudo specifies you want the permissions up front rather than asking for permission after the fact. If you try to do something using the legacy windows APIs, and you don't have permission, you shouldn't get a series of popups, the program's system call should fail, and the program should die. Programs should either ask you for permission (once) up front (like installers do on OSX), or you should specify that a program should run with permissions (via the right click menu "Run As..." or maybe with a modifier key held down). Second, sudo caches your authentication, so if you want to do multiple privileged operations in a row, you aren't continually annoyed.

It's the post-authentication rather than the pre-authentication that Microsoft got wrong though. Microsoft clearly doesn't get it, and this implementation is completely broken.

Executive Summary: (4, Insightful)

darkonc (47285) | more than 8 years ago | (#15265413)

The new Windows 'protection' scheme will browbeat the user until they disable the security system (in some way or another).
That way, when the inevitable virus and spyware hits the system, Microsoft can wash their hands and say that it's all the user's fault for making use of their computer bearable.

Article text (0)

Anonymous Coward | more than 8 years ago | (#15265416)

Thank goodness for antipagination

A fresh look at Vista's User Account Control, Part 2
Posted by Ed Bott @ 6:59 pm

In the first post in this series, I provided a close-up look at a major new security feature in Windows Vista. User Account Control (UAC), which will be enabled by default in all versions of Windows Vista, monitors a user's actions and prompts for an administrator's credentials before allowing any action that has a potential impact on system security.

The UAC prompts I depicted in the first post are those that appear when you install a program, when you run a program that requires access to sensitive locations, or when you configure a Windows setting that affects all users. But as many beta testers have discovered, UAC prompts can also show up when you perform seemingly innocent file operations on drives formatted using NTFS.

In this post, I explain why these prompts appear and why some so-called Windows experts miss the obvious reason (and the obvious fix).

File operations trigger a UAC prompt anytime you try to do something with a file or folder where your current set of user rights doesn't grant that access. For example:

If you try to create a new file in a system folder, you see this dialog box.

[pic]

If you try to delete a file, or create a new subfolder, or move a file, or do anything that directly affects the file system in a drive or folder whose contents are restricted to administrators, you see this dialog box:

[pic]

Similarly, if you try to rename a file or folder in a location where you don't have explicit rights to do so, you see this dialog box:

[pic]

In all three cases, your clue that UAC is involved is the Windows shield on the Continue button. When you click that button, the regular desktop fades to gray, the Secure Desktop appears, and you see the following consent dialog box:

[pic]

So, why does this happen? These dialog boxes appear when Windows Vista security meets NTFS permissions, which are stored in Access Control Entries (ACEs) applied to file system objects and displayed in Access Control Lists (ACLs). UAC is new; NTFS ACLs are old. But most Windows users, even some with years of experience, don't understand how ACLs work. And changes in the Windows Vista security model mean that a lot of people will be very frustrated until they understand how to work with those permissions.

Here's the problem, stated as simply as possible:

When you use Windows XP, you are almost certainly using an account that belongs to the Administrators group. (The challenges of running as a Limited user in XP are well documented.) As an administrator, you can do just about anything with just about any file. The exceptions are rare - you're locked out of the folder that contains System Restore files, for instance - but for the most part, if you can see it, you can change it.

That all changes in Windows Vista. When UAC is enabled, all users run as standard users. That's true even if you're logged on using an account in the Administrators group. Your working environment, including Windows Explorer, has the rights of a standard user account, and you can only run applications with administrative privileges if you provide explicit consent. In technical terms, your parent process token is that of a standard interactive user.

If you try to delete a file, or create a new subfolder, or move a file, or do anything that directly affects the file system in a drive or folder whose contents are restricted to administrators, you see this dialog box:

[pic]

Windows sees that the Users group has Read permissions only on that folder, and it has no way of knowing that you created the folder on another computer and that you should be listed as the Creator-Owner of all those files. It applies permissions based on the standard user process token and tells you if you want to change anything you'll need to supply your Administrator credentials.

How do you work around this annoyance? You have two choices:

        * You can take ownership of the files on the external drive. That gives your account Full Control permissions at all times and prevents other users on the same computer from changing the files unless they do so as an administrator.
        * Or you can change the permissions assigned to the Users group so that members of that group have Write or Full Control permissions. That solution allows everyone with a user account on the computer to manage files without having to OK a consent dialog box.

The problem with both of these solutions is that they require a level of technical knowledge that the overwhelming majority of Windows users simply don't have. Using the default settings of Windows XP, in fact, file permissions are completely hidden. This poses a potential support nightmare for Microsoft, which will have to deal with frustrated users who just want to get to their data files. Many of them, in fact, will simply choose to turn off UAC as a way of coping with the complexity by eliminating it.

In the final installment of this series, I'll offer some possible solutions that Microsoft can implement to strike the proper balance between security and convenience and prevent a full-scale mutiny when Vista ships.
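The access check the reposted article describes, a split logon token evaluated against the folder's ACL, as an added example that is not part of the post or of the article. It is a simplified model: the mask bits, the accounts alice and bob, and the DACL are constructed, and the first choice is modelled by the outcome the article states for it.

```python
from dataclasses import dataclass

# Simplified access-mask bits, constructed for this model (not the real Windows values).
READ, WRITE, DELETE = 1, 2, 4
FULL = READ | WRITE | DELETE

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # account or group name standing in for a SID
    mask: int

@dataclass(frozen=True)
class Token:
    user: str
    enabled: frozenset                  # groups that match allow and deny ACEs
    deny_only: frozenset = frozenset()  # groups that match deny ACEs only

def logon_tokens(user, groups):
    """Return (filtered, elevated): the standard-user token and the full token."""
    groups = frozenset(groups)
    admin = groups & {"Administrators"}
    return Token(user, groups - admin, admin), Token(user, groups)

def access_check(token, dacl, wanted):
    """Walk the DACL in order; succeed only once every wanted bit is granted."""
    allow_sids = {token.user} | token.enabled
    deny_sids = allow_sids | token.deny_only
    granted = 0
    for ace in dacl:
        if ace.kind == "deny" and ace.sid in deny_sids and (ace.mask & wanted & ~granted):
            return False
        if ace.kind == "allow" and ace.sid in allow_sids:
            granted |= ace.mask
        if (granted & wanted) == wanted:
            return True
    return False

# Constructed DACL for the article's external-drive folder:
# Administrators have Full Control, Users have Read only.
EXTERNAL_DRIVE = [Ace("allow", "Administrators", FULL), Ace("allow", "Users", READ)]

def take_ownership(dacl, user):
    """Choice 1, modelled by its stated outcome: Full Control for one account."""
    return [Ace("allow", user, FULL)] + dacl

def open_to_users(dacl):
    """Choice 2: raise the Users group's allow ACE to Full Control."""
    return [Ace("allow", "Users", FULL) if (a.kind, a.sid) == ("allow", "Users") else a
            for a in dacl]

if __name__ == "__main__":
    alice, alice_elevated = logon_tokens("alice", {"Users", "Administrators"})
    bob, _ = logon_tokens("bob", {"Users"})
    cases = [("unchanged", EXTERNAL_DRIVE),
             ("choice 1", take_ownership(EXTERNAL_DRIVE, "alice")),
             ("choice 2", open_to_users(EXTERNAL_DRIVE))]
    for name, dacl in cases:
        print(name,
              "alice:", access_check(alice, dacl, DELETE),
              "alice elevated:", access_check(alice_elevated, dacl, DELETE),
              "bob:", access_check(bob, dacl, DELETE))
```

With the unchanged DACL only the elevated token can delete, which is the point where the consent dialog appears; the second choice removes the prompt by granting the same rights to every account in Users.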

Soon, Same As It Ever Was (4, Insightful)

ausoleil (322752) | more than 8 years ago | (#15265419)

Microsoft is trying to make users have good hygiene -- that is, don't run as a super-user unless you need to. Well-meaning and well intended -- and a good idea. Ultimately, however, Aunt Sally is not going to deal with it for long, and you, the unofficial family Helpdesk tech, are not going to like all of the calls you get from apoplectic relatives dismayed that they suddenly can't open this that or the other because they do not understand the paradigm.

What will happen is what always happens: when there is a "problem" someone "fixes" it. In this case, the "problem" is the security model. I suspect that there will be a 3rd party "fix" that blasts through all the well-meaning security and basically restores the user-as-root scenario that Windows has operated in since forever.

Re:Soon, Same As It Ever Was (2, Interesting)

dr-suess-fan (210327) | more than 8 years ago | (#15265486)

I always thought the best model for Aunt Sally would be a keyswitch on the front of the computer. Similar to those round-key locks that used to prevent boot-up.

If a program wants write access to Program Files, a dialogue box will pop up asking the user to turn the keyswitch to admin mode.

Now, hopefully Sally won't turn the keyswitch unless she knows she's trying to install something.

Re:Soon, Same As It Ever Was (1)

wo1verin3 (473094) | more than 8 years ago | (#15265498)

>> Microsoft is trying to make users have good hygiene

Hah. Good luck on that with the slashdot crowd.

Annoying slideshow article.. (1)

wfberg (24378) | more than 8 years ago | (#15265424)

Damn, that's annoying.. having to click next a zillion times to "read" (mostly pictures) the "article".. And the remarkable revelation? You'll be getting popups because of restrictive file permissions! Well, gee, I would certainly never have figured out THAT was the reason for popups that say "you lack the required permissions"....

No? (0, Redundant)

BoxSocial (945632) | more than 8 years ago | (#15265434)

I don't understand.

Take this goddamn article down. (0, Redundant)

Gannoc (210256) | more than 8 years ago | (#15265450)


Seriously. How many pages was this article for how much text? ./ shouldn't reward this type of bullshit ad-revenue-sucking crap with more hits.

Lame article, Lame suggestions (3, Insightful)

flakier (177415) | more than 8 years ago | (#15265451)

So, in the end he recommends giving Users full control or write access as means to get around the annoyance. Hell, why don't we just chmod -R 777 /* and end all the "annoyances" of my Linux box too while we're at it?

Can't he just suggest that application designers get a clue and write apps that don't write unnecessarily to sensitive areas of the system? Hopefully annoyed end users will "motivate" lax companies when this happens instead of working around the issue.

Windows expert? (1)

anzev (894391) | more than 8 years ago | (#15265465)

Hm, I fail to see the point in having written such an article. It helps me solve nothing I couldn't really have solved myself, it explicitly states that the average user can't do this because they don't know how -- rather insulting them than helping them.

But what's even more funny is that, in the end of the article the author says that in his final instalment he will write a few suggestions HOW MICROSOFT COULD SOLVE THIS PROBLEM. Ok, that's something we really need, a smart-ass teaching MS developers how to do something... I mean, why waste valuable internet space. I hope the author realizes that nobody at MS will even consider his solutions.

I think this is a blatant attempt to just get paid by the page, even if the page contains nothing more than an image, I mean, come on, and a blatant attempt at free advertising on Slashdot. I fail to see why this even makes good news. But, that's just my two cents.

Turn it off? (1)

BSAtHome (455370) | more than 8 years ago | (#15265469)

Well, you can turn UAC off? How about that for a security measure... A joke would be cheaper to develop than vista. sigh...

finally (1)

MyDixieWrecked (548719) | more than 8 years ago | (#15265480)

I'm glad windows is finally gonna know how to say "I need credentials, please provide an administrator password" when you want to do something that requires said permissions.

OSX's been doing this for 6+ years. It's annoying to always be hit with a "permission denied" error when trying to do things as a limited user, then realizing that I've gotta log out and back in as an admin.

all I can say is FINALLY.

Re:finally (1)

wandazulu (265281) | more than 8 years ago | (#15265520)

You don't need to log out and back in as an admin in OSX...just supply the username and password of an admin on the box.

Flamebait (4, Insightful)

ewhac (5844) | more than 8 years ago | (#15265501)

So how is it that running as a "limited user" under Windows is an arcane, difficult process, whereas doing so under UNIX is nearly trivial?

I'm not saying UNIX is "better," since the primary issue here is social, not technical. If UNIX were in Windows' shoes, then third-party applications and slickly packaged malware would be popping up dialogs reading, "This application requires root privileges to install. Please enter the root password: _____" So UNIX's user model doesn't really solve the base problem. However, I've been using Windows (mostly for gaming) for a while now, and I run with administrative privs all the time, because running as a limited user (in the UNIX sense) just doesn't work. Or, perhaps more precisely, it doesn't Just Work.

So what's the deal?

Schwab

We're all lucky (1)

reverend_rodger (879863) | more than 8 years ago | (#15265514)

Good thing we'll never have to worry about these issues, since Vista seems to be delayed at least once a month.

just change your thinking... (1)

DoctorDyna (828525) | more than 8 years ago | (#15265526)

Every time that box pops up, just think to yourself:
"Good thing spyware can't click this button."

Re:just change your thinking... (0)

Anonymous Coward | more than 8 years ago | (#15265586)

"Good thing spyware can't click this button."

yet

OT: sig reply (1)

NotQuiteReal (608241) | more than 8 years ago | (#15265610)

Vehicle Collision Detected! Deploy Airbags?

[YES] [NO] [CANCEL]

You selected YES - please enter administrator password:

Interesting only because... (1)

xx01dk (191137) | more than 8 years ago | (#15265531)

everyone's still bummed out about the delays announced in the past few weeks. It's almost like someone is pulling the strings thusly:

PR machine: "Yeah, we know you feel real let down by the delay but OOH, LOOK! Something SHINY! Right.. over.. THERE!"

Teeming masses: "Ooh, we love shiny things. Vista is going to be so great again!"

Games -vs- firewalls (2, Interesting)

MobyDisk (75490) | more than 8 years ago | (#15265536)

I'm curious how this handles applications that constantly modify system settings inappropriately. Does it prompt you every time, or just once? Does it remember the setting? Ex: Most games still save their save files into C:\Program Files. When I save my game, am I booted from my DirectX environment back to the desktop to answer the prompt? If so, does it happen every time I save? Or can it work like a firewall and say "let me do this every time."

Oh No... (2, Funny)

googleaseerch (682399) | more than 8 years ago | (#15265593)

The UAC's involved in this now, too? All hell's gonna break loose.

just turn it off (1)

signore pablo (544088) | more than 8 years ago | (#15265596)

ya know, I have been running Vista 5365 and the first thing I did was to turn off UAP... It's still horribly implemented and the screen black out is kind of annoying too.. I know why they did it, because of the supposed spoof that could be displayed where users click ok thinking it's the cancel button, but it would have been better if the screen simply faded to gray rather than look like a resolution change to the input screen... also, it's still waaay too frequent. when you have to enter your password for deleting shortcuts that's silly... furthermore, I personally think that it should be more like web browser password memory. while you have one particular section open, you put your password in once and it works until you close that particular section, such as the device manager section or copying files to a location or something like that. It needs to have better AI. The good news is they'll have plenty of time now that Vista has been delayed to fix that :D. Vista can be better than XP. Given that it's been 5+ years since XP's release that's not too much to ask for, but I wish it could have been better. Aero is not as nice as Aqua but if Microsoft releases the API for Aero and makes application developers able to integrate their GUI better into Aero, that will go a long way. Right now, many applications stick out a bit with the transparent windows and nothing else that blends into that theme. IE7 and media player look better in Vista because they were designed for it. Hopefully this won't be like the Office API where that looked nicer than the API that other developers were given to develop with. (I don't know too much about that but anyway better application integration with Aero would be a big plus) We'll see how it turns out...

oh, those are the simple solutions (1)

stinky wizzleteats (552063) | more than 8 years ago | (#15265607)

Here are the simple solutions all the windows experts are missing:

Set yourself up as the owner of all files on the drive.
Set full permissions to all files to the "user" group.

Oh gosh gee. I don't know how we could have been so stupid. Please forgive us for doubting the security, power, and flexibility of Microsoft operating systems.

Dear Microsoft "experts": You just permanently lost the user privilege security argument, and you probably don't even know why.

easy to fix (2, Funny)

rcamans (252182) | more than 8 years ago | (#15265618)

I got this from somewhere:

        Start an elevated command prompt window, and from that window run secpol.msc.

        Find all the policies that start with "User Account Control" (there are only, like, six of them) and set them to either no prompt or disabled.
That's all there is to it. You'll never need to "run elevated" and you'll never be bothered by those pop-ups again

Thank you, whoever posted this fix.
